Abstract

Recent advances in theoretical and experimental quantum computing bring us closer to 
scalable quantum computing devices. This makes the need for protocols that verify the correct 
functionality of quantum operations timely and has led to the field of quantum verification. 
In this paper we address key challenges to make quantum verification protocols applicable to 
experimental implementations. We prove the robustness of the single server verifiable universal 
blind quantum computing protocol of Fitzsimons and Kashefi [1] in the most general scenario.
This includes the case where the purification of the deviated input state is in the hands of an 
adversarial server. The proved robustness property allows the composition of this protocol with 
a device-independent state tomography protocol that we give, which is based on the rigidity 
of CHSH games as proposed by Reichardt, Unger and Vazirani [2]. The resulting composite 
protocol has lower round complexity for the verification of entangled quantum servers with a 
classical verifier and, as we show, can be made fault tolerant. 


Keywords: Delegated Quantum Computation, Quantum Verification, Device Independence, Composition, Fault Tolerance

1 Introduction 

While the prospect of commercially available universal quantum computing is still distant, a number
of experiments involving multi-qubit systems have recently been developed. Irrespective of
their applications, these technologies require methods and tools for verifying the correctness of
their operations. Assuming that quantum computing is more powerful than classical computing,
a simulation-based approach for quantum verification of devices with a sufficiently large number of
qubits becomes practically impossible. Aaronson and Arkhipov showed in [3] that even a rudimentary
quantum computer constructed with linear-optical elements cannot be efficiently simulated.
Similarly, verifying the correct preparation of a general $n$-qubit state via state tomography also
involves exponential overhead since it requires collecting statistics from $4^n$ separate observables [4].

The verification of quantum devices becomes more complicated when the functionality involves
cryptographic primitives. In these cases, incorrect operations could be the result of actions of 
an adversary. Thus it becomes necessary to guarantee the security of the application under certain 
assumptions about the devices. Ideally a protocol should remain secure even if the devices are faulty 
and partially controlled by adversaries. This would lead to a solution that is device-independent and 
robust. However, generating such protocols has proven difficult. Even in quantum key distribution, 
a complete proof of security for a device-independent protocol, in the presence of noise, has been 
achieved only recently [5].

The issue of verification needs to be resolved to be able to exploit successfully any future 
quantum computers. Moreover, one expects that the first large scale quantum devices are unlikely 
to be personal computers. Instead, they will probably function as servers to which clients can 
connect and request the computation of some difficult problem. The client may also require his 
computation to be private, i.e. require that the server does not learn anything about it. We should 
therefore construct protocols that verify an arbitrary delegated quantum computation and prove 
the security and correctness of this verification technique. 

The approaches that have been so far successful are those based on interactive proof systems 
Eld, where a trusted, computationally limited verifier (also known as client, in a cryptographic 
setting) exchanges messages with an untrusted, powerful quantum prover, or multiple provers (also 
known as servers). The verifier attempts to certify that, with high probability, the provers are 
performing the correct quantum operations. Because we are dealing with a new form of computation, 
the verification protocols, while based on established techniques, are fundamentally different from
their classical counterparts. A number of quantum verification protocols have been developed, for 
different functionalities of devices and using a variety of different strategies to achieve verification 
[H El El El m El El El El El El E]- The assumptions made depend on the specific target 
and desired properties of the protocol. For example, if the emphasis is on creating an immediate 
practical implementation, then this should be reflected in the technological requirements leading 
to a testable application with current technology H7]. Alternatively, if the motivation is to prove a 
theoretical result, we may relax some requirements such as efficient scaling [2j]. An important open 
problem in the field of quantum verification is whether a scheme with a fully classical verifier is
possible HHlEj. We know, however, that verification is possible in the following two scenarios: 

1. A verifier with minimal quantum capacity (ability to prepare random single qubits) and a 
single quantum prover [1]. This is the Fitzsimons and Kashefi (FK) protocol.

2. A fully classical verifier and two non-communicating quantum provers that share entanglement 
[20]. This is the Reichardt, Unger and Vazirani (RUV) protocol.

One of our objectives is to obtain a device independent (allowing untrusted quantum devices) 
version of the FK protocol, by composing it with the RUV protocol. The additional properties 
we aim to achieve from this composition are fault tolerance (allowing noisy devices) and reduced 
round complexity. Composing protocols can indeed be fruitful since it could lead to new protocols 
that inherit the advantages of both constituents. The universal composability framework, allowing
for secure compositions, has been successfully extended to the quantum realm mmm-
Recently, the security of single server verifiable universal blind quantum computing protocols has
been demonstrated in an abstract cryptographic framework [23] that is also known to be equivalent
to the simulation-based composability framework. However, this setting does not fulfil the necessary
requirements for our composition. This is because, when combining a single server verification
scheme (FK) with an entangled server scheme (RUV), there exists the possibility of correlated
attacks, which are not explicitly treated in the composability framework. Such attacks can occur
when an untrusted server’s strategy is correlated with deviations in the protocol’s input state. Our
robustness result resolves this issue in the stand alone composition setting and the same technique
could potentially be extended to the composable framework of [22], thus resolving the problem of
correlated attacks.

The type of composition that we require is sequential. We take the output of the first protocol 
and use it as input for the second. However, in general, the output of the first protocol is not 
necessarily an acceptable input for the second protocol. In particular, since the verification protocols 
are probabilistic, their outputs typically deviate by a small amount from the ideal one. Thus, it 
is necessary that the second protocol remain secure even if the input is slightly deviated from the 
ideal one. Moreover, we make sure that adversaries cannot exploit any correlations between the 
deviated input and their strategy to compromise the security of the protocol. Therefore to securely 
compose the protocols, we need to address this new type of attack. The main results of this paper
can be summarised as follows: 

1. We prove that the FK protocol is strongly robust, see Theorem 1. First, we show that FK
can tolerate inputs which deviate from their ideal values by a small amount, see Lemma 7.
However, for composition with other protocols a stronger property is needed. We therefore
proceed to show that the FK protocol is robust even when the deviated input is correlated
with an external system possessed by an adversary (for example the provers’ private systems
in the RUV protocol), see Lemma 8.

2. An immediate consequence of the robustness theorem is that we can construct a composite 
protocol combining RUV with FK. The required input states for the FK protocol are prepared 
via the state tomography sub-protocol of RUV. Our composite protocol inherits the device 
independence property of RUV, see Theorem 3. Additionally, since we do not require the full
RUV protocol, the composite protocol also has an improved round complexity. 

3. Lastly, we address the distinction between robustness and fault tolerance and show how the 
FK protocol can be made fault tolerant, thereby making our proposed composite approach 
fault tolerant as well. 


In Section 1.1 we give some preliminaries. In Section 2 we present the main results, that we
summarised above, and outline their proofs. In particular we give robustness in Subsection 2.1,
composition in Subsection 2.2 and fault tolerance in Subsection 2.3. Further details of the proofs are
given in Section 3 for robustness, in Section 4 for composition and in Section 5 for fault tolerance.
We conclude in Section 6.


1.1 Preliminaries 

We first introduce the relevant concepts used in describing verification protocols and then briefly 
present the two protocols we will build on (FK and RUV).

1.1.1 Interactive Proof Systems 

As explained in mm, a language $\mathcal{L}$ is said to admit an interactive proof system if there exists a
computationally unbounded prover $\mathcal{P}$ and a BPP verifier $\mathcal{V}$, such that for any $x \in \mathcal{L}$, $\mathcal{P}$ convinces
$\mathcal{V}$ that $x \in \mathcal{L}$ with probability $> 2/3$. Additionally, when $x \notin \mathcal{L}$, $\mathcal{P}$ convinces $\mathcal{V}$ that $x \in \mathcal{L}$ with
probability $< 1/3$. Mathematically, we have the following two conditions:

• Completeness: $\Pr(\mathcal{V} \leftrightarrow \mathcal{P} \text{ accepts } x \mid x \in \mathcal{L}) > 2/3$

• Soundness: $\Pr(\mathcal{V} \leftrightarrow \mathcal{P} \text{ accepts } x \mid x \notin \mathcal{L}) < 1/3$

Note that completeness can be viewed as the probability of the verifier accepting when the prover is honest.
Similarly, soundness is the probability of accepting, when the prover is dishonest.

The set of languages which admit such an interactive proof system define the complexity class IP. 
We are interested in the case when the prover is a polynomial-time quantum computer (i.e. a BQP 
machine). In |lf)| . the first definition of such a quantum interactive proof system was given, which 
we use here: 

Definition 1. [lW Quantum Prover Interactive Proof (QPIP) is an interactive proof system with 
the following properties: 

(i) The prover is computationally restricted to BQP. 

(ii) The verifier is a hybrid quantum-classical machine. Its classical part is a BPP machine. The 
quantum part is a register of c qubits (for some constant c), on which the prover can perform 
arbitrary quantum operations. At any given time, the verifier is not allowed to possess more 
than c qubits. The interaction between the quantum and classical parts is the usual one: 
the classical part controls which operations are to be performed on the quantum register, 
and outcomes of measurements of the quantum register can be used as input to the classical 
machine. 

(iii) There are two communication channels: one quantum and one classical.

The completeness and soundness conditions are identical to the IP conditions. 

We are also interested in interactive protocols that use more than one prover. There are only two
differences: first, that the verifier can interact with multiple provers instead of just one, and second,
that the provers are not allowed to communicate. The conditions for completeness and soundness
remain unchanged. The analogous complexity class that involves multiple provers is called
Multi-Prover Interactive Proof System and denoted MIP [25]. It is defined as the set of all languages which
admit an interactive proof system with one or more non-communicating provers. If the number of
provers is fixed to be $k$, the corresponding complexity class is MIP[$k$]. A closely related class is
MIP* where the multiple non-communicating provers share entangled states.

In all of these cases, the verifier is essentially delegating a difficult computation to the prover(s). 
This computation can be universal with respect to the computation model of the prover(s). In our 
case, this means universal for polynomial-time quantum computations. The number of classical 
messages exchanged between the verifier and the prover, throughout the run of the protocol, as a 
function of the input size is known as the round complexity of the protocol. 

1.1.2 Quantum Protocols 

Throughout this subsection, we assume the reader is familiar with the teleportation-based and more 
generally measurement-based quantum computing (MBQC) models, described in detail in [26, 27].
We first summarise the FK protocol [1] which is a QPIP protocol. It is also known as unconditionally
secure, verifiable, universal blind quantum computing. The protocol is “blind” which
means that no information about the computation is leaked to the prover, apart from its size. This 
property can be exploited by allowing the verifier to insert hidden “traps” within the computation. 
The traps are deterministic tests which the verifier can perform in order to verify that the prover 
is not deviating from the protocol. Blindness ensures that the traps are indistinguishable from the 
computation. 
The basic idea of this protocol is that the verifier prepares and sends qubits to the prover. The
prover entangles these qubits and then performs adaptive measurements (sending the measurement 
outcomes to the verifier) that will overall implement a certain unitary operation, as in the MBQC 
model of computation. The traps are single isolated qubits, disentangled from the rest of the 
computation, and when measured in suitable bases give deterministic outcomes that are known to 
the verifier (but not to the prover). Since the prover is completely blind and does not know which 
qubits are traps and which are part of the actual computation, any attempt to cheat has some 
probability to affect the trap and thus be detected. 

The FK protocol is based on a universal resource state for the MBQC model, known as the 
dotted-complete graph state. The details of this resource state are not crucial for understanding 
this paper, apart from the fact that, as part of the FK protocol, the appropriate operators are 
performed by the untrusted server to prepare this generic state. In particular, a series of controlled- 
Z operators are performed by the server, according to the dotted-complete graph structure, for 
entangling the individual qubits prepared in advance by the verifier. These initial qubits, that are 
sometimes referred to as the input of the FK protocol, are sent to the server at the first stage 
of the protocol. This fact is used to prove some basic properties needed for our main robustness 
result, see Theorem 2. Therefore, for the purpose of completeness, we state here the definition of
the dotted-complete graph state, taken from [1], see also Figure 1.

Definition 2. [1] Let $K_N$ denote the complete graph of $N$ vertices. Define the dotted-complete
graph, denoted as $\tilde{K}_N$, to be a graph where every edge in $K_N$ is replaced with a new vertex connected
to the two vertices originally joined by that edge. We call the quantum state corresponding to $\tilde{K}_N$
the dotted-complete graph state. This multi-partite entangled state is prepared by replacing every
vertex with a qubit in the state $|+\rangle$ and applying a controlled-Z operator for every edge in the graph.


Figure 1: An example of a complete graph, $K_6$, and its corresponding dotted-complete graph $\tilde{K}_6$.

The family of dotted-complete graph states is universal for quantum computation. Moreover,
any other graph state could be obtained from a large enough dotted-complete graph state by
applying the appropriate Pauli measurements over some of the vertices (the ones shown in white,
in Figure 1). Concretely, in order to construct any desired graph of $N$ vertices from a dotted-complete
graph $\tilde{K}_N$, Pauli Y measurements are performed in order to keep a specific edge, and
Pauli Z measurements in order to remove it (alternatively, one could use the states $|0\rangle$, $|1\rangle$ for the
edges which should be removed, instead of performing a Pauli Z measurement). This can be done
blindly in order to hide the target graph. The detailed construction is not important for the rest of
this paper and hence omitted (see Section 5 in [1]). We give a brief description of FK, shown here
as Protocol 1.

Protocol 1 Fitzsimons, Kashefi QPIP Protocol from [1]

Assumptions

The verifier wants to delegate a quantum computation described by the graph $G$ and specific
measurement angles $\phi_i \in \{0, \pi/4, \ldots, 7\pi/4\}$ chosen to define a desired computation. He chooses
a security parameter $d$ and encodes this graph into the topological error correcting scheme of
Raussendorf, Harrington and Goyal [28], that can correct or detect errors with weight less than $d$.
The encoded graph, $\mathcal{G}$, will have $N$ qubits. He then considers a random hidden partitioning of the
vertices of the dotted-complete graph $\tilde{K}_{3N}$ into 3 subgraphs: the computation graph $\mathcal{G}$ and two
different types of isolated traps which the verifier will use in order to test the prover’s honesty in
performing measurements. All measurements are performed in the XY-plane.

Protocol

1. Verifier prepares and sends the $3N(3N+1)/2$ qubits to the prover (the number of vertices in
$\tilde{K}_{3N}$). These consist of dummy qubits which are either $|0\rangle$ or $|1\rangle$ (isolating their neighbouring
vertices from the rest of the computation) and computation or trap qubits which are of the
form $|+_\theta\rangle = \frac{1}{\sqrt{2}}(|0\rangle + e^{i\theta}|1\rangle)$, where $\theta \in \{0, \pi/4, \ldots, 7\pi/4\}$.

2. The prover entangles the qubits according to the structure of the $\tilde{K}_{3N}$ graph by applying
controlled-Z operations between any pair of vertices that are connected with an edge.

3. For each qubit $i$, the verifier computes the measurement angle $\delta_i = \theta_i + \phi'_i + r_i\pi$, where $\phi'_i$
is the adapted version of the computation angle $\phi_i$, and $r_i$ is a randomly chosen bit in $\{0,1\}$.
Adapted computation angles are used to account for corrections from previous measurements.
The measurement angles $\phi_i$, for the trap qubits, are randomly fixed to be 0 or $\pi$. However, due
to blindness provided by the initial $\theta_i$ rotations in the preparation of individual qubits (Step 1
above), the value of $\delta_i$ is uniformly distributed over the set $\{0, \pi/4, \ldots, 7\pi/4\}$. The verifier sends
these measurement angles one by one to the prover. The prover measures each corresponding
qubit in the $|+_{\delta_i}\rangle, |-_{\delta_i}\rangle$ basis, and sends his reply $b_i$ to the verifier.

4. The verifier accepts if for all trap qubits, the reported measurement outcome $b_t$ is the same
as the expected outcome $r_t$.

According to Definition 1, the quantum channel between verifier and prover is one-way (from the
verifier to the prover). Moreover, the constant $c$, representing the number of qubits that the verifier
can possess at any given time, is exactly one. We refer the reader to [1] for a more in depth
description of the protocol and its associated concepts. However, we recall the key properties of the
protocol in the following lemma.

Lemma 1. Assuming the verifier wants to delegate the computation of a circuit of size $N$, the
FK protocol has $O(N^2)$ round complexity and uses $O(N^2)$ qubits with completeness being exactly 1
while the soundness is upper bounded by $(2/3)^{\lceil 2d/5 \rceil}$, where $d$ is the security parameter.

Proof. It is clear from Protocol 1 that the total number of qubits used in the protocol is $3N(3N+1)/2$,
where $N$ is the number of qubits for the encoded graph $\mathcal{G}$. Additionally, we have the same
number of rounds of classical communication, corresponding to the measurements of qubits in the
dotted-complete graph (each measurement requires 3 classical bits to specify the measurement angle
and 1 bit to specify the outcome). Both the overall round complexity and the required quantum
resources are thus $O(N^2)$.

As described in Protocol 1, the verifier accepts if and only if all trap measurements succeed. This
is always the case if the prover is honest and follows the instructions, since the trap measurements
are deterministic. Therefore, the probability that the verifier accepts when the prover is honest is
exactly 1 (completeness). On the other hand, it is shown in [1] that in the case of classical output,
the protocol is $(2/3)^{\lceil 2d/5 \rceil}$-verifiable, meaning the soundness is upper bounded by $(2/3)^{\lceil 2d/5 \rceil}$. □

Next we summarise the RUV protocol [2] which is a MIP* protocol. It relies on the rigidity of
CHSH games [29, 20] to test the honesty of the provers (cf. traps in the FK protocol), and on gate
teleportation to perform the computation. In particular, the verifier directs the provers to perform
a series of local measurements of their parts of the shared entangled states. The purpose of this
is to check for statistical violations of Bell’s inequality. At the same time, the verifier makes the
provers teleport quantum states into gates in order to perform his desired quantum computation
[20]. Importantly, the verifier alternates between these strategies in such a way that the provers are
not aware (they are blind) of which strategy their measurement belongs to. Moreover, the two provers
cannot use previous results in order to deviate from the protocol (i.e. there is no adaptive cheating
strategy). This is summarised as Protocol 2. Due to the rigidity of the CHSH games, as proved
in [2], the verifier can determine if the two provers are being honest or not from the statistical
outcomes. To ensure the verification of universal computations, the resource preparation stage of
the protocol will prepare multiple copies of the states:

$$\{ P|0\rangle,\ (HP)_2|\psi^*\rangle,\ (GY)_2|\psi^*\rangle,\ \mathrm{CNOT}_{2,4} P_2 Q_4 (|\psi^*\rangle \otimes |\psi^*\rangle) : P, Q \in \{I, X, Y, Z\} \}$$

Here, $|\psi^*\rangle$ denotes the Bell state which is shared among the two provers. In fact the
provers share multiple copies of $|\psi^*\rangle$, each prover having one qubit from each Bell pair. Without
loss of generality, we can assume that prover 1 has the first qubit and prover 2 has the second
qubit. The Hadamard, Phase and controlled-Not gates (denoted as {H, G, CNOT}) constitute a
universal gate set for quantum computation. The subscript indices indicate on which qubits the
gate acts. An arbitrary quantum circuit is thus simulated by repeatedly doing gate teleportations,
while keeping the computation blind from the two provers the entire time.

Lemma 2. Assuming the verifier wants to delegate the computation of a circuit of size $n$, the round
complexity of the RUV protocol is $O(n^c)$, where there exists some constant $c$, such that $c > 8192$.

Proof. To determine an upper bound for the round complexity we only need to inspect the number
of rounds of CHSH games, since the protocol randomly alternates between this and the other three
subprotocols. As shown in Protocol 2, the verifier plays $N$ sets of CHSH games with the two provers.
Each set consists of $q n_s$ games and $n_s > n^{64}$. Additionally, it is required that $N > (q n_s)^{\alpha-1}$, where
$n^{\alpha/2} > n^{64}$, so $\alpha > 128$. These conditions are necessary for the correctness of the state tomography
and process tomography subprotocols m- We then have that $N > d\, n^{8128}$, where $d$ is a constant of
the form $d = q^{\alpha-1}$. This is the number of sets of CHSH games and hence the number of required
games is lower bounded by $n^{8192}$. It follows that the number of rounds is $O(n^c)$, where $c > 8192$.
Note that by “lower bounded” we refer to the case when all of the CHSH statistics are consistent
and the verifier does not reject. In the case of inconsistent statistics, the verifier can reject before
playing $n^{8192}$ games. □
The subprotocols of the RUV protocol are themselves verification protocols as proved in [20].
The subprotocol that we will use is the state tomography protocol. As part of the RUV protocol, it
is used to prepare resource states which are XZ-determined, i.e. states that are uniquely determined
by their traces against X and Z operators. To compose the RUV with the FK protocol we will use
a modified version of the state tomography subprotocol, so that we can prepare all states that are
allowed inputs for the FK protocol. We will give the modified protocol in the next section.


Protocol 2 Reichardt, Unger, Vazirani MIP* Protocol from [20] (for two provers) 

Assumptions 

The verifier delegates a quantum circuit of size $n$ to two quantum provers. Let $n_s = n^{\alpha/2} > n^{64}$,
$q = 11$, $n_g = q n_s$, $N > n_g^{\alpha-1}$ and $\delta = 1/(6 n^{\alpha/8})$. The two provers share $N n_g$ Bell states.

Protocol 

The verifier alternates randomly between four subprotocols. He chooses the first three with probability
$(1 - \delta)/3$ and the last one with probability $\delta$.

1. CHSH games. The verifier referees $N$ sets of sequential CHSH games, each consisting of $n_g$
games between the provers. He rejects if they win less than:

cos 2 (tt/8 )Nn g - ~^=^ Nn g log (Nn g ) 
of the games. 

2. State tomography. The verifier chooses $K \in [N]$ uniformly at random and referees $K - 1$
sets of CHSH games. He sends the questions from the $K$th set to prover 1, while running a
state tomography protocol with prover 2. In this protocol prover 2 is asked to prepare $q$-qubit
resource states by measuring his halves of the shared Bell states. This will collapse prover 1’s
states to the same $q$-qubit resource states up to corrections. The verifier checks this using the
CHSH measurement outcomes from prover 1. These outcomes tomographically determine the
states that are being prepared. He rejects if the tomography statistics are inconsistent.

3. Process tomography. The verifier chooses $K \in [N]$ uniformly at random and referees $K - 1$
sets of CHSH games. He sends the questions from the $K$th set to prover 2, while running a
process tomography protocol with prover 1. In this protocol prover 1 is asked to perform Bell
measurements on his halves of the shared Bell states. The verifier checks this using the CHSH
measurement outcomes from prover 2. He rejects if the tomography statistics are inconsistent.

4. Computation. The verifier chooses $K \in [N]$ uniformly at random and referees $K - 1$
sets of CHSH games. In the $K$th game he runs a state tomography protocol with prover 2
and a process tomography protocol with prover 1. The combination of these two achieves
computation via gate teleportation.
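The CHSH test in step 1 of Protocol 2 separates provers who really measure shared Bell pairs from provers following any classical strategy. The following is an added example, not code from the paper: it computes the honest winning probability $\cos^2(\pi/8)$ from the Bell state, the best classical value by enumeration, and simulates both kinds of provers. The measurement angles are the standard optimal choice and, like all function names, are assumptions of this example.

```python
import itertools
import math
import random

S = 1 / math.sqrt(2)
# Bell state (|00> + |11>)/sqrt(2); BELL[i][j] is the amplitude of |i>|j>.
BELL = ((S, 0.0), (0.0, S))

# Standard optimal CHSH measurement angles (assumed here, not given on the page).
PROVER1_ANGLES = (0.0, math.pi / 4)            # indexed by question x
PROVER2_ANGLES = (math.pi / 8, -math.pi / 8)   # indexed by question y


def basis_vector(angle, outcome):
    """Vector of a real qubit basis rotated by `angle`, for outcome 0 or 1."""
    c, s = math.cos(angle), math.sin(angle)
    return (c, s) if outcome == 0 else (-s, c)


def joint_prob(x, y, a, b):
    """Probability that honest provers answer (a, b) to questions (x, y)."""
    va = basis_vector(PROVER1_ANGLES[x], a)
    vb = basis_vector(PROVER2_ANGLES[y], b)
    amp = sum(va[i] * vb[j] * BELL[i][j] for i in (0, 1) for j in (0, 1))
    return amp * amp


def wins(x, y, a, b):
    """CHSH winning condition: a XOR b must equal x AND y."""
    return (a ^ b) == (x & y)


def quantum_win_prob():
    """Exact winning probability of the honest strategy, questions uniform."""
    total = 0.0
    for x, y, a, b in itertools.product((0, 1), repeat=4):
        if wins(x, y, a, b):
            total += joint_prob(x, y, a, b)
    return total / 4


def best_classical_win_prob():
    """Maximum over all 16 deterministic strategies (a0, a1, b0, b1)."""
    best = 0.0
    for a0, a1, b0, b1 in itertools.product((0, 1), repeat=4):
        won = sum(wins(x, y, (a0, a1)[x], (b0, b1)[y])
                  for x in (0, 1) for y in (0, 1))
        best = max(best, won / 4)
    return best


def play_games(n, honest, seed=0):
    """Fraction of n simulated games won by honest or by classical provers."""
    rng = random.Random(seed)
    won = 0
    for _ in range(n):
        x, y = rng.randint(0, 1), rng.randint(0, 1)
        if honest:
            # Sample (a, b) from the quantum joint distribution.
            u, acc = rng.random(), 0.0
            a = b = 1
            for ca, cb in itertools.product((0, 1), repeat=2):
                acc += joint_prob(x, y, ca, cb)
                if u < acc:
                    a, b = ca, cb
                    break
        else:
            a = b = 0  # an optimal deterministic classical strategy
        won += wins(x, y, a, b)
    return won / n


if __name__ == "__main__":
    print("honest quantum provers:", quantum_win_prob())
    print("best classical provers:", best_classical_win_prob())
    print("simulated honest rate :", play_games(20000, honest=True))
    print("simulated classical   :", play_games(20000, honest=False))
```
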







2 Main Results 


2.1 Robustness 

The first result we prove is that the FK protocol is robust with respect to small variations in the 
input. Throughout this paper, by “input” we are referring to the quantum states that the verifier 
sends to the prover and not the computation input. Without loss of generality we can assume that 
the desired computation that will be delegated to the server has the fixed classical input 0,... 0. 
Dealing with arbitrary classical or quantum input is straightforward, as explained in [1], and makes 
no difference for our result. Hence, for the rest of this paper we define the input state of the FK 
protocol to be the tensor product of the individual qubits prepared by the verifier, comprising the 
dotted-complete graph before the prover applies controlled-Z to entangle them (these include the 
computation, trap and dummy qubits). 

The fact that FK is robust means that the protocol’s input state can be deviated from its ideal 
value by some small amount and the protocol will continue to function. In particular, this input 
state could be the output of some other protocol, provided that this state was close to its ideal 
value. As we will see in the next subsection, the RUV protocol is capable of such a preparation. 
We start by formally defining robustness in this context. 

Definition 3 (Robustness). A verification protocol with quantum input is robust if, given that the
protocol input is $\epsilon$-close in trace distance to the ideal input, in the limit where $\epsilon \to 0$ the completeness
and soundness bounds remain unchanged.

Mathematically, if we denote the multi-qubit input state as $\rho$, and the pure states comprising
the ideal input as $\pi_i$, where $i$ goes from 1 to the number of qubits, we have that:

$$\Big\| \rho - \bigotimes_i \pi_i \Big\|_{\mathrm{Tr}} < \epsilon \qquad (1)$$

Note that $\rho$ is of the same dimension as $\bigotimes_i \pi_i$ as it does not contain any ancilla qubits from the
environment. Given the definition of robustness, we prove that:

Theorem 1. The FK protocol is robust and given an input which is $\epsilon$-close to its ideal value, the
completeness is lower bounded by $1 - 2\epsilon$ and the soundness bound changes by at most $O(\sqrt{\epsilon})$.

Because we are tracing out the environment, which could be controlled by an adversary, the security 
of the protocol, with a deviated input state, needs to be re-established. We highlight this in the 
following proof sketch of Theorem 1.

Proof sketch. We first examine soundness which considers the case of a dishonest prover. Intuitively,
when the prover is malevolent, he will try to convince the verifier to accept an incorrect outcome
and thus deviate from the correct protocol. However, as shown in [1], no matter how much the
prover deviates, the probability for the verifier to accept a wrong outcome is bounded. If the input
to the protocol is already deviated from the ideal, one could expect that the soundness bound
remains unchanged. The effect of a deviated input could be incorporated in the deviated actions of
the prover. This is indeed the case when the input is uncorrelated with any external system and
we can express the deviation as a CPTP map (see Lemma 7 for detailed proof).

In the general case, however, the deviated input could be correlated with subsystems controlled 
by adversaries. This deviation could be used by the prover to improve his cheating probability. 
Mathematically this is manifested by the fact that the prover’s action in the presence of initial 
correlations is not in general a trace preserving map. It can be expressed as a linear combination 
of a CPTP deviation and an inhomogeneous term which could be either positive or negative as
shown in [30]. In this case, we use the $\epsilon$-closeness of the input state to derive a bound of order
$O(\sqrt{\epsilon})$ for the norm of the inhomogeneous term. From linearity, and using the previous argument
it follows that in the general case the soundness bound changes by at most $O(\sqrt{\epsilon})$ (see Lemma 8
for detailed proof).

In the case of completeness, we are assuming the prover is honest. If we start with an $\epsilon$-close
input state, because of the linearity of the operators involved, we will end up with an output state
that is $O(\epsilon)$-close to the ideal output (see Lemma 9 for detailed proof). □
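The trap check of Protocol 1 and the completeness bound of Theorem 1 can be seen on a single isolated trap qubit. The following is an added example, not code from the paper: it simulates one trap with an honest prover, with a prover that applies a Pauli Z, and with an honest prover given a slightly deviated input. It assumes the trap's computation angle is 0, takes the trace distance of pure states as $\sqrt{1 - |\langle a|b\rangle|^2}$, and all function names are hypothetical.

```python
import cmath
import math

# The eight angles {0, pi/4, ..., 7pi/4} used for theta and delta in Protocol 1.
ANGLES = [k * math.pi / 4 for k in range(8)]


def plus_state(theta):
    """|+_theta> = (|0> + e^{i theta}|1>)/sqrt(2) as a pair of amplitudes."""
    return (complex(1 / math.sqrt(2)), cmath.exp(1j * theta) / math.sqrt(2))


def overlap(a, b):
    """Inner product <a|b> of two single-qubit pure states."""
    return sum(x.conjugate() * y for x, y in zip(a, b))


def outcome_prob(state, delta, b):
    """Probability that measuring in the {|+_delta>, |-_delta>} basis reports b.

    |-_delta> equals |+_{delta+pi}>, so outcome b projects onto |+_{delta+b*pi}>.
    """
    return abs(overlap(plus_state(delta + b * math.pi), state)) ** 2


def trace_distance(a, b):
    """Trace distance between pure states (assumed convention, see lead-in)."""
    return math.sqrt(max(0.0, 1 - abs(overlap(a, b)) ** 2))


def pauli_z(state):
    """One possible prover deviation: apply Pauli Z before measuring."""
    return (state[0], -state[1])


def trap_accept_prob(theta, r, input_offset=0.0, deviation=None):
    """Probability that the verifier accepts on one isolated trap qubit.

    The verifier intends to send |+_theta>, announces delta = theta + r*pi
    (trap computation angle assumed to be 0) and accepts iff the reply is r.
    input_offset models a deviated input |+_{theta+offset}>; deviation models
    what a dishonest prover does to the qubit before measuring it.
    """
    state = plus_state(theta + input_offset)
    if deviation is not None:
        state = deviation(state)
    delta = theta + r * math.pi
    return outcome_prob(state, delta, r)


def announced_angles(r):
    """Values of delta (in units of pi/4) the prover can see for a fixed r.

    With theta uniform over the eight angles, every delta occurs exactly once,
    so the announced angle carries no information about r.
    """
    return sorted((k + 4 * r) % 8 for k in range(8))


def completeness_with_deviated_input(offset):
    """Return (epsilon, worst honest acceptance probability over theta and r)."""
    eps = trace_distance(plus_state(0.0), plus_state(offset))
    worst = min(trap_accept_prob(t, r, input_offset=offset)
                for t in ANGLES for r in (0, 1))
    return eps, worst


if __name__ == "__main__":
    print("honest, ideal input :", trap_accept_prob(ANGLES[3], 1))
    print("prover applies Z    :", trap_accept_prob(ANGLES[3], 1, deviation=pauli_z))
    eps, worst = completeness_with_deviated_input(0.2)
    print("deviated input      : eps =", eps, "accept >=", worst, "vs 1 - 2*eps =", 1 - 2 * eps)
```

This covers one qubit only; the bounds in Theorem 1 concern the full multi-qubit input and a prover whose strategy may be correlated with the deviation.
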

A similar approach to Lemma 7 was used in [31] for defining approximate blindness, and in [21] to
prove universal composability for blind quantum computing protocols. However, to our knowledge,
these results are not strong enough to cover the requirements for the composition with the RUV
protocol. In [31] only the blindness property was examined while verifying the computation was not
considered. In [21] they considered local-verifiability which does not take into account, for example,
the possibility of correlated attacks such as those that are possible when the two provers have a
prearranged correlated strategy.

2.2 Composition 

One of our main objectives is to construct a device independent version of the FK protocol. The 
first step was to show that FK is robust. This property guarantees that if we have an input state
that is only approximately the ideal one, the protocol continues to work. We can now break the 
task of achieving device independent FK into two parts, which we need to compose sequentially. 

1. State Preparation - use a device independent protocol to prepare on the prover’s side a 
state which is e-close to the FK input. 

2. Verified Delegated Computation - run the FK protocol with the prover that has the 
e-close input state (since robustness allows this). 

The advantage of this technique is that we are free to use any protocol for state preparation as long 
as we have the guarantee of e-closeness. This is due to our strong robustness result, which shows 
that FK will work even if the deviation in the prepared state is correlated with the prover’s cheating 
strategy in the delegated computation stage. In this paper, we achieve state preparation using the 
device-independent state tomography sub-protocol of RUV. This sub-protocol has the e-closeness 
property that we require, as explained in [20]]. The resulting composite protocol will have a better 
round complexity than the full RUV protocol for the verification of quantum computations. The 
complexity can be improved further if a more efficient state preparation protocol is used. Recently, 
in an independent work that simultaneously appeared with our arxiv version, a more efficient 
scheme for state preparation is proposed that is based on a self-testing approach [32] rather than 
the rigidity of CHSH games 129- 

We first clarify some details of the RUV protocol, which are essential in understanding how our
composite protocol will work. RUV uses the rigidity property of CHSH games to determine that the
provers share multiple copies of the Bell state $|\Phi^+\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$, which is XZ-determined.
They can then use XZ state tomography to verify the preparation of any other XZ-determined
state. In particular, they use it to tomographically verify the preparation of a set of states which
can be used to perform universal computation. They also describe how it is possible to extend
the protocol in order to have full tomography with the Y operator as well [20]. However, because
they are using the $|\Phi^+\rangle$ Bell state, it is only possible to fix the Y operator up to a sign change.
That is, the provers can always choose to measure in either the $Y$ or $-Y$ bases without being
detected (this corresponds to complex conjugating the states with respect to their representations
in the computational basis). In fact this problem has been noticed by others as well [12], [33]. As
explained in m , it is possible to force the provers to consistently choose either Y or —Y for their 
measurements. This makes the resulting state prepared by state tomography close to either the 
ideal state or the complex conjugate of the ideal state. 

At first glance it would seem that this could be problematic for the FK protocol. We would have
to show that running the FK protocol with an input state that is close to the complex conjugated
version of the ideal input would be detected by the verifier. Intuitively this is the case, since trap
qubits are in the XY-plane and complex conjugating them would lead to different measurement
outcomes. We will not prove this and instead provide a simpler solution.

The problem stems from the fact that we are using the XZ-determined $|\Phi^+\rangle$ state. Let us
instead consider the state $|\Psi^+\rangle = (|01\rangle + |10\rangle)/\sqrt{2}$. Using Theorem 2 from [20], and the fact that
$|\Psi^+\rangle$ has stabilizer generator set $\{X \otimes X, Y \otimes Y\}$ which belongs to $\{I, X, Y\}^{\otimes 2}$, we have that this
state is XY-determined.


Theorem 2. [20] A stabilizer state is determined by any of its sets of stabilizer generators.


In principle it is possible to run a form of the RUV protocol in which we choose the CHSH games
such that we rigidly determine that the provers share multiple copies of the Bell state $|\Psi^+\rangle$ instead
of $|\Phi^+\rangle$. Analogous to the previous case, the extended form of the protocol would then fix the Z
operator up to a sign change (instead of the Y operator). This means that the provers can always
perform a reflection about the XY plane with no noticeable changes. However, the XY plane states
are invariant under such a reflection. We can therefore use this to prepare the input which will be
used by the FK protocol. The only problem we encounter is that we also require the preparation of
$|0\rangle$ and $|1\rangle$ states which act as dummy qubits in the FK protocol [1]. As described in Protocol 1, these
dummy qubits are measured in order to “break” the dotted-complete graph into the computation
graph and the two trap graphs. The problem is that the XY plane reflection has the effect of
flipping the computational basis states (state $|0\rangle$ becomes $|1\rangle$ and state $|1\rangle$ becomes $|0\rangle$). However
this deviation (flip) has to be applied globally otherwise it affects the statistics of the CHSH game
and thus the verifier rejects m ■ Such a global flip is detected by the FK protocol. A formal proof 
is given in Lemma 10, Section [4j while below we give a sketch of the proof. 

In the honest scenario for the FK protocol, the measurement of a dummy qubit in state $|1\rangle$
introduces an additional Z correction to its neighbouring qubits (this is because we are using the
controlled-Z operation for entangling qubits). Hence in a malicious setting the effect that a flip
has on a trap qubit with an odd number of neighbouring dummy qubits leads to an extra Z
operation. Such a Z flip changes a $|+_\theta\rangle$ state to $|-_\theta\rangle$. Thus, the measurement of this trap qubit will
deterministically fail and the verifier will detect this. On the other hand, since the verifier chooses
the input, he can always pad the computation such that the overall graph has trap qubits with an
odd number of neighbouring dummy qubits. This is due to the fact that in a dotted-complete graph
(Definition 2), some of the traps will have $N - 1$ neighbouring dummy qubits. Therefore, if the
size of the input computation $N$ is odd, the verifier need only pad the computation size to become
$N + 1$.


Now we are in a position to construct the composite protocol which composes RUV with FK.
We give a modified version of the state tomography protocol of RUV (see Protocol 3). Proof that
Protocol 3 is a valid verification protocol is given in Section 4. The purpose of this modification is
to verifiably prepare the minimal resource states which are subsequently used as inputs for the FK
protocol.

The composite protocol, given as Protocol 4, is the sequential composition of the modified state
tomography of Protocol 3 with both provers followed by the FK protocol with prover 1. Note that
since prover 1 is involved in both state tomography as well as the FK protocol, the strong version
of the robustness property is required. This is to address the effect of any potential correlated
attacks where provers 1 and 2 have agreed in advance on a strategy. The deviations of prover 2, in
the preparation stage, could be correlated with the deviations of prover 1 during the computation
stage (FK). This is the first rigorous proof of a protocol that involves lifting the FK protocol to the
entangled provers setting. We give here the correctness and soundness of this protocol and show
that it is more efficient than the RUV protocol (Theorem 3) while in Section 4 we give the proof
of this theorem.

Protocol 3 Modified State Tomography Protocol

Assumptions

Let $S = \{(1,0,0), (0,1,0), (0,0,1), \frac{1}{\sqrt{2}}(1,1,0), \frac{1}{\sqrt{2}}(1,-1,0), \frac{1}{\sqrt{2}}(1,0,1), \frac{1}{\sqrt{2}}(1,0,-1), \frac{1}{\sqrt{2}}(0,1,1), \frac{1}{\sqrt{2}}(0,1,-1)\}$.
Let $M_v$ be a 2 outcome projective measurement defined by the projectors:
$\frac{1}{2}(I + v \cdot (X,Y,Z))$ and $\frac{1}{2}(I - v \cdot (X,Y,Z))$.

Let the tuple $(a,b) \in S \times S$ denote the measurements $M_a$ for prover 1 and $M_b$ for prover 2 that
they need to perform on their halves of an entangled state when instructed by the verifier. Sets of
such tuples define CHSH games. For example the set $\{(1,0,0), (0,0,1)\} \times \{\frac{1}{\sqrt{2}}(1,0,1), \frac{1}{\sqrt{2}}(1,0,-1)\}$
defines the XZ CHSH game. Given $S$, there are six such sets of CHSH games (two XZ, two XY
and two YZ) [20]. For a suitable numbering of these games, let $\mathrm{CHSH}_i$ be the $i$th CHSH game,
$i \in \{1, \ldots, 6\}$.

Protocol

The verifier alternates uniformly at random between the following subprotocols:

1. CHSH games. Verifier referees $6N$ sets of sequential CHSH games, such that each group of
$N$ sets is one of the six possible CHSH types of games. Each set consists of $n_g$ games between
prover 1 and prover 2. For each group of $N$ CHSH games the verifier rejects if the two provers
win less than:

$$\cos^2(\pi/8)\, N n_g - \frac{\sqrt{N n_g \log(N n_g)}}{2\sqrt{2}}$$

of the games.

2. State tomography. Verifier chooses $K \in [N]$ uniformly at random and also randomly
chooses $\mathrm{CHSH}_i$ as one of the six possible CHSH games. Then he referees $K - 1$ sets of
$\mathrm{CHSH}_i$ games, sending the questions from the $K$th set to prover 1, while running a state
tomography protocol with prover 2. In this protocol prover 2 is asked to prepare resource
states by measuring his halves of the shared Bell states. This will collapse prover 1’s states
to the same resource states up to corrections. In the context of composition, these resource
states will constitute the FK input. The verifier uses the measurement outcomes of prover
1 to tomographically check this preparation. He rejects if the tomography statistics are
inconsistent. In the end, if the verifier accepts, he concludes that with high probability prover
1 has a state which is close in trace distance to the tensor product of resource states. The
formal statement of this fact is given in Theorem 5 taken from [20], and more precisely in
Equation 42 from Lemma 12.


Protocol 4 Composite Verification Protocol 


1. Run the modified state tomography protocol (Protocol 3).

2. From the states prepared by this protocol on prover 1’s side, select the input for FK and run
the FK protocol with prover 1 (Protocol 1).


Theorem 3. Assuming the verifier wants to delegate the computation of a quantum circuit of size 
n, Protocol is a MIP* verification protocol having completeness lower bounded by 1 — 0(?r _1//128 ), 

soundness upper bounded by (§)^ 5 ^ + O(n^ 1 / 12 ), where d is the security parameter of the FK 
protocol, and round complexity 0{n c ), where there exists some constant c such that c > 2048. 

While the obtained round complexity is an improvement over RUV (Lemma 2), it is still far
from practical. However, we believe our approach serves as a proof of principle, that this type of
composition can be beneficial. It also highlights where improvements could be made. It is the state
tomography subprotocol that increases the round complexity, while the FK protocol has a relatively
low complexity.² The detailed proofs are given in Section 4.

2.3 Fault Tolerance 

In constructing our composite verification protocol, we used the robustness of the FK protocol. Our 
last result is to characterise the difference between robustness and fault tolerance and to show that 
the FK protocol can be made fault tolerant using a topological error correcting code. Consequently, 
our composite protocol can also be made fault tolerant provided that the state tomography part is 
run on top of an error correcting code. 

As mentioned before, robustness is a protocol’s ability to continue to function given a deviated
input. Fault tolerance is when a protocol functions correctly in the presence of error prone devices.
The essential assumption for robustness is that the actual (multi-qubit) input is $\epsilon$-close to its ideal
value. Fault tolerant protocols, on the other hand, assume that errors can occur at each individual
qubit. The faulty devices are usually represented by the action of a partially depolarizing channel:
$\mathcal{E} = (1 - p)[I] + \frac{p}{3}([X] + [Y] + [Z])$. Here $p$ is the probability of error, and the square brackets
indicate the action of an operator. This leads to the following observation:

Lemma 3. Let $\sigma = \bigotimes_{i=1}^{n} \rho_i$ be a system of $n$ qubits. Assume each qubit goes through a partially
depolarizing channel $\mathcal{E}$ having probability of error $p > 0$. Let the state of the system, after all qubits
have passed through the channel, be $\sigma' = \bigotimes_{i=1}^{n} \mathcal{E}(\rho_i)$. We have that $\|\sigma - \sigma'\|_{Tr} \le \min(1, np)$ and
there exist states $\sigma$ for which $\|\sigma - \sigma'\|_{Tr} = 1$.

This means that the deviation of an n-qubit system from the ideal input is not bounded by some 
constant amount. This is intuitively clear, since by adding more qubits, we introduce more errors 
and the state of the composite system is further from its intended value. In contrast to this, when 
considering robustness, the distance between the actual and ideal state is bounded by an arbitrarily 
small quantity. We will now address how we can do verification in an error prone setting.

Lemma 4. Assume we run the FK protocol with $N_t$ traps and each qubit is subject to the action of a
partially depolarizing channel $\mathcal{E}$ having probability of error $p > 0$. Given the simplifying assumption
that if a qubit is changed (through the action of an X, Y or Z operator) it will produce an incorrect
measurement outcome, the completeness of this protocol is upper bounded by $(1 - p)^{N_t}$.

² Note that the round complexity of FK could be further reduced to linear, if one is willing to admit a higher upper
bound for soundness.

Protocol 5 Fault Tolerant FK Protocol

Assumptions

The verifier wants to compute the execution of a measurement graph G having n qubits. Both the
verifier and prover’s devices are subject to noise modelled as a partially depolarizing channel acting
on the preparation of the qubits and the application of the quantum gates. For single qubits the
channel is described by:

$$\mathcal{E}_1 = (1 - p)[I] + \frac{p}{3}([X] + [Y] + [Z])$$ (2)

And for two qubit states by:

$$\mathcal{E}_2 = (1 - p)[I \otimes I] + \frac{p}{15}([I \otimes X] + \cdots + [Z \otimes Z])$$ (3)

Additionally assume $p < p_{correct}$, where $p_{correct}$ is a threshold such that depolarizing noise below
this threshold is corrected by the topologically protected code from [28].

Let $\mathcal{G}_\nu$ denote a brickwork state encoding the graph G and containing one trap qubit, as explained
in [1]. Let $\mathcal{L}_\nu$ denote a fault tolerant encoding of the graph $\mathcal{G}_\nu$ using the topologically protected
code from [28]. The encoding is done as explained in [33], hence $\mathcal{L}_\nu$ will be decorated lattices (see
Figures 1, 2 in [34]). The index $\nu$ denotes the randomness in the $\theta$ angles for the encoding as chosen
by the verifier. Let $S_{\vec{\nu}} = \mathcal{L}_{\nu_1} \otimes \mathcal{L}_{\nu_2} \otimes \cdots \otimes \mathcal{L}_{\nu_N}$, where R/ log < N < R/ log + O(1),
for some constants $R > 1$, $c > 2$ and $\vec{\nu} = \{\nu_1 \cdots \nu_N\}$. We will refer to $S_{\vec{\nu}}$ as a sequence of encodings.

Protocol

1. The verifier chooses $R > 1$ and constructs the random set $\vec{\nu}$.

2. The verifier prepares the qubits for the sequence $S_{\vec{\nu}}$ and sends them to the prover along with
instructions on how to construct $S_{\vec{\nu}}$.

3. The verifier sends measurement instructions to the prover in order to compute the executions
of the encoded graphs.

4. The prover sends the measurement outcomes to the verifier.

5. Steps 3 and 4 repeat until the verifier either accepts or rejects.

The verifier rejects if any of the traps fail. He takes the outcome of the computation to be the
majority outcome over all computations (graphs $\mathcal{L}_{\nu_i}$).

It is evident that assuming faulty devices where each qubit behaves as if it crossed a partially
depolarizing channel, the completeness of the protocol becomes exponentially small (as a function
of the number of traps). This is clearly unsatisfactory. Arguably the simplest solution would be
to alter the acceptance condition of the protocol. Since it is unlikely that all trap measurements
succeed, even for an honest prover, the verifier should accept a result if the traps that succeed are
above some fixed fraction.


Lemma 5. Assume we run a modified FK protocol with $N_t$ traps and each qubit is subject to the
action of a partially depolarizing channel $\mathcal{E}$ having probability of error $p > 0$. The modification is
that the verifier accepts if there are fewer than $N_t(p + \epsilon)$ mistakes at trap measurements, where
$\epsilon > 0$ is a suitably chosen small number. The completeness of this protocol is lower bounded by
$1 - \exp(-2\epsilon^2 N_t)$.
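Lemmas 3, 4 and 5 in numbers, as an added example (not code from the paper): it computes how far a product state drifts under per-qubit depolarizing noise, and compares the strict acceptance rule with the thresholded one against the Hoeffding-style bound of Lemma 5. Assumptions: the test state is $|0\ldots0\rangle$, trace distance is taken as half the trace norm, and trap failures are independent with probability $p$ each (the simplifying assumption of Lemma 4); all function names are illustrative.

```python
import math
from itertools import product


def depolarized_product_distance(p, n):
    """Trace distance between |0...0> and the same register after every qubit
    passes through E = (1-p)[I] + (p/3)([X] + [Y] + [Z]) (setting of Lemma 3).

    X and Y flip |0> to |1> while Z leaves it unchanged, so each qubit is
    flipped with probability 2p/3 and the noisy state stays diagonal. The
    trace distance is then the total variation distance of the diagonals.
    Assumption: trace distance = half the trace norm.
    """
    flip = 2 * p / 3
    total = 0.0
    for bits in product((0, 1), repeat=n):
        ones = sum(bits)
        noisy = (flip ** ones) * ((1 - flip) ** (n - ones))
        ideal = 1.0 if ones == 0 else 0.0
        total += abs(ideal - noisy)
    return total / 2


def strict_completeness(p, n_traps):
    """Lemma 4: the original verifier accepts only if no trap is hit."""
    return (1 - p) ** n_traps


def rejection_threshold(p, eps, n_traps):
    """Smallest number of failed traps that the modified verifier rejects.

    The verifier accepts iff failures < Nt(p + eps); for integer counts this
    is failures < ceil(Nt(p + eps)). The 1e-9 guards against float round-up.
    """
    return math.ceil(n_traps * (p + eps) - 1e-9)


def threshold_completeness(p, eps, n_traps):
    """Exact honest acceptance probability of the Lemma 5 verifier, assuming
    independent trap failures with probability p (binomial tail)."""
    cutoff = min(rejection_threshold(p, eps, n_traps), n_traps + 1)
    return sum(
        math.comb(n_traps, k) * p ** k * (1 - p) ** (n_traps - k)
        for k in range(cutoff)
    )


def hoeffding_lower_bound(eps, n_traps):
    """The bound stated in Lemma 5: 1 - exp(-2 eps^2 Nt)."""
    return 1 - math.exp(-2 * eps ** 2 * n_traps)


def completeness_table(p, eps, trap_counts):
    """Rows of (Nt, strict rule, thresholded rule, Lemma 5 bound)."""
    return [
        (nt,
         strict_completeness(p, nt),
         threshold_completeness(p, eps, nt),
         hoeffding_lower_bound(eps, nt))
        for nt in trap_counts
    ]


if __name__ == "__main__":
    p, eps = 0.01, 0.05  # constructed sample parameters
    print("n  distance from ideal  min(1, np)")
    for n in (1, 4, 8, 12):
        print(n, round(depolarized_product_distance(p, n), 4), min(1, n * p))
    print("Nt  strict  thresholded  Lemma 5 bound")
    for row in completeness_table(p, eps, (50, 100, 200, 400)):
        print(row[0], *(round(x, 4) for x in row[1:]))
```

The thresholded rule keeps honest acceptance near 1 as the number of traps grows, while the strict rule decays as $(1-p)^{N_t}$; the price on the soundness side is the subject of Lemma 6.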

The above modification resolves the issue raised regarding the completeness bound. However, if
we were to make such a modification, we have the following consequence for the soundness of the
protocol:

Lemma 6. Assume we run a modified FK protocol with $N_t$ traps, $N$ qubits in total and each
qubit is subject to the action of a partially depolarizing channel $\mathcal{E}$ having probability of error $p > 0$.
The modification is that the verifier accepts if there are fewer than $N_t(p + \epsilon)$ mistakes at trap
measurements, where $\epsilon > 0$ is a suitably chosen small number. The soundness of this protocol is

upper bounded ^2/ ( (3) 5 . 

We can see that introducing a threshold of acceptance leads to an increased bound on soundness.
This is again expected, since we allow the prover to tamper with some of the traps (and, by extension,
with the computation as well) without rejecting the output. To solve these problems we need to use
a fault tolerant code. The FK protocol already uses a fault tolerant code to encode the computation
graph. However this is done in order to boost the value of the soundness parameter. The trap qubits
are not encoded with the code (only the computation is). Thus we propose a modified FK protocol.
This is described in Protocol 5. In this protocol we encode both computations and traps in a fault
tolerant code and use sequential repetitions (also used in [17]). This leads to our final main result:

Theorem 4. Under the assumption of a faulty setting where qubit preparation and quantum gates
are subject to partially depolarizing noise having bounded probability $p$, Protocol 5 is a valid
verification protocol having completeness 1, soundness upper bounded by $(1/2)^R$, where $R$ is a constant
such that $R > 1$. The protocol has round complexity $O(n^2)$.

The proofs of this theorem and of the previous lemmas are given in Section 5. An important point to
make is that the composite protocol we constructed can also be made fault tolerant. To achieve 
this the state tomography protocol should be run on top of a fault tolerant code. As mentioned in 
[20], in principle, this is straightforward for blind, verified computation, since the provers can work 
on top of a quantum error-correcting code and entanglement can be distilled with the help of the 
verifier [35l 56 ]. 

3 Proof of Robustness 

In this section we prove the robustness of the FK protocol. We start by first proving a simpler 
result, namely the robustness of the protocol under the assumption that the input is uncorrelated 
with any external system. We then remove this assumption and use our results to prove the main 
theorem, necessary for the composition with the RUV protocol. 

Lemma 7. If the initial input state of the FK protocol is $\epsilon$-close to the ideal input state and
uncorrelated with any external system, the soundness bound does not change.

Proof. We will follow the same proof technique as in [1] and show that the soundness bound does
not change. This is done by incorporating the assumption of a deviated input into that proof. The
outcome density operator of the protocol is denoted $B_j(\nu)$, where $\nu$ denotes the verifier’s choices of
input variables and $j$ ranges over the prover’s choices of possible actions ($j = 0$ is the correct/honest
action). If the outcome is incorrect it means that all of the traps have passed, but the computation
is not correct. This is associated with the following projection operator [1]:

$$P_{incorrect} = (I - |\Psi_{ideal}\rangle\langle\Psi_{ideal}|) \otimes \bigotimes_{t \in T} |\eta_t^{\nu_T}\rangle\langle\eta_t^{\nu_T}|$$ (4)

Here, $|\Psi_{ideal}\rangle\langle\Psi_{ideal}|$ is the ideal output state, and $\bigotimes_{t \in T} |\eta_t^{\nu_T}\rangle\langle\eta_t^{\nu_T}|$ is the state associated with the
trap qubits. Notice that we are projecting to a state in which the output is orthogonal to its ideal
value, and the traps are correct. This expresses the fact that the verifier will accept an incorrect
computation. The associated probability for that event is $p_{incorrect}$ and can be expressed as:

$$p_{incorrect} = \sum_{\nu} p(\nu)\, \mathrm{Tr}(P_{incorrect} B_j(\nu))$$ (5)

This is a weighted average of the incorrect outcome probabilities (expressed by the trace operator)
over all possible input states. The outcome density operator can be written as:


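$$B_j(\nu) = \mathrm{Tr}_P\Big( \sum_b |b + c_r\rangle\langle b|\, C_{\nu_C,b}\, \Omega\, P \big( (\otimes^P |0\rangle\langle 0|) \otimes |\Psi^{\nu,b}\rangle\langle\Psi^{\nu,b}| \big) P^\dagger \Omega^\dagger C^\dagger_{\nu_C,b}\, |b\rangle\langle b + c_r| \Big)$$ (6)

In this expression $(\otimes^P |0\rangle\langle 0|)$ are the prover’s qubits, $|\Psi^{\nu,b}\rangle\langle\Psi^{\nu,b}|$ is the input state, and their
tensor product is the joint system state $\sigma^{\nu,b}$.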


Notice the following, as explained in [1]:

• We are tracing over the prover’s qubits;

• We have denoted the joint state, comprised of the input and the prover’s qubits, as $\sigma^{\nu,b}$;

• $j$ ranges over the prover’s possible strategies ($j = 0$ is the honest strategy);

• $b$ indicates the possible branches of computation parametrised by the measurement results
sent by the prover to the verifier;

• $c_r$ indicates corrections that need to be performed on the final, classical output due to the
MBQC computation together with the random phase introduced by the verifier;

• $P$ is the computation that we want the prover to do;

• $\Omega$ is the prover’s deviation from the desired computation;

• $C_{\nu_C,b}$ are the corrections the prover applies to its quantum output depending on the
measurement outcomes (as in the measurement-based model);


We now need to incorporate the approximate input state into this operator. We will not use the
$\epsilon$-closeness of the deviated state to the ideal one, and prove a stronger result, that the soundness
bound does not change regardless of the input state. Concretely, assume the deviated input is:

$$\rho^{\nu,b} = \mathcal{E}(|\Psi^{\nu,b}\rangle\langle\Psi^{\nu,b}|)$$ (7)

Where $\mathcal{E}$ is a CPTP map which represents any deviation from the ideal input state either from
incorrect preparation, a malicious prover or faulty devices. This is equivalent to applying some
unitary $U$ to the input state tensored with some environment qubits that are traced out. We can
express this mathematically as:

$$\rho^{\nu,b} = \mathrm{Tr}_E\big( U ((\otimes^E |0\rangle\langle 0|) \otimes |\Psi^{\nu,b}\rangle\langle\Psi^{\nu,b}|) U^\dagger \big)$$ (8)

The joint system state $\sigma^{\nu,b}$ becomes³

$$\sigma^{\nu,b} = \mathrm{Tr}_E\big( (\otimes^P |0\rangle\langle 0|) \otimes U ((\otimes^E |0\rangle\langle 0|) \otimes |\Psi^{\nu,b}\rangle\langle\Psi^{\nu,b}|) U^\dagger \big)$$ (9)

Let us consider a new unitary $V = (I \otimes U)$. This allows us to rewrite the joint system state as:


$$\sigma^{\nu,b} = \mathrm{Tr}_E\big( V ((\otimes^{E+P} |0\rangle\langle 0|) \otimes |\Psi^{\nu,b}\rangle\langle\Psi^{\nu,b}|) V^\dagger \big)$$ (10)


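Since $P$, the computation, is a unitary operator, there must exist some unitary $V'$ such that
$V = P^\dagger V' P$. Substituting this into the previous expression gives us:

$$\sigma^{\nu,b} = \mathrm{Tr}_E\big( P^\dagger V' P ((\otimes^{E+P} |0\rangle\langle 0|) \otimes |\Psi^{\nu,b}\rangle\langle\Psi^{\nu,b}|) P^\dagger V'^\dagger P \big)$$ (11)

Incorporating Equation 11 into the expression for $B_j(\nu)$ in Equation 6 we obtain:

$$B_j(\nu) = \mathrm{Tr}_P\Big( \sum_b |b + c_r\rangle\langle b|\, C_{\nu_C,b}\, \Omega\, P\, \mathrm{Tr}_E\big( P^\dagger V' P ((\otimes^{E+P} |0\rangle\langle 0|) \otimes |\Psi^{\nu,b}\rangle\langle\Psi^{\nu,b}|) P^\dagger V'^\dagger P \big) P^\dagger \Omega^\dagger C^\dagger_{\nu_C,b}\, |b\rangle\langle b + c_r| \Big)$$ (12)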


The assumption of the lemma is that the input state is not correlated with any external system.
Hence, the spaces $E$ and $P$ are independent. This means that the prover’s deviation, $\Omega$, is not
acting on $E$ and therefore we can “push” the inner trace operator to the beginning of the equation.
Also using the fact that $P P^\dagger = P^\dagger P = I$, we obtain:

$$B_j(\nu) = \mathrm{Tr}_{P+E}\Big( \sum_b |b + c_r\rangle\langle b|\, C_{\nu_C,b}\, \Omega\, V' P ((\otimes^{P+E} |0\rangle\langle 0|) \otimes |\Psi^{\nu,b}\rangle\langle\Psi^{\nu,b}|) P^\dagger V'^\dagger \Omega^\dagger C^\dagger_{\nu_C,b}\, |b\rangle\langle b + c_r| \Big)$$ (13)


We can now include the input deviation given by $V'$ into the prover deviation $\Omega$, by considering
$\Omega' = \Omega V'$. This is possible because we are bounding the probability over all possible deviations, $\Omega$,
of the prover in the computation and all possible deviations, $V'$, from the preparation part. Thus,
we can consider this to be a single, global, deviation given by $\Omega'$.

$$B_j(\nu) = \mathrm{Tr}_{P+E}\Big( \sum_b |b + c_r\rangle\langle b|\, C_{\nu_C,b}\, \Omega' P ((\otimes^{P+E} |0\rangle\langle 0|) \otimes |\Psi^{\nu,b}\rangle\langle\Psi^{\nu,b}|) P^\dagger \Omega'^\dagger C^\dagger_{\nu_C,b}\, |b\rangle\langle b + c_r| \Big)$$ (14)


³ Here and in the following expressions we’ve used the fact that the partial trace is linear and can therefore be
moved outside.

As a result, the above equation has the same form as the undeviated input scenario of Equation 6.
This makes sense since all we have done is to incorporate the deviation of the input into the prover’s
cheating strategy. The original proof continues as it is in [1], and the bound remains unchanged

Pincorrect — 

□ 

The type of robustness guaranteed by this lemma is not sufficient to prove the security of any 
protocol that composes RUV with FK. For example if we use prover 2 of RUV to prepare the 
input of the FK protocol for prover 1, this input is in general correlated with prover 2’s system. To 
address this issue, we use from [20] the following corollary of the gentle measurement lemma and 
the special Kraus representation in the presence of initial correlations given in 113- 

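Corollary 1. [20] Let $\rho$ be a state on $\mathcal{H}_1 \otimes \mathcal{H}_2$, and let $\pi$ be a pure state on $\mathcal{H}_1$. If for some $\delta > 0$,
$\mathrm{Tr}(\pi\, \mathrm{Tr}_2\, \rho) \ge 1 - \delta$, then

$$\|\rho - \pi \otimes \mathrm{Tr}_1\, \rho\|_{Tr} \le 2\sqrt{\delta} + \delta$$ (16)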

Lemma 8. If the initial input state of the FK protocol is $\epsilon$-close to the ideal input state the
soundness bound changes by at most $O(\sqrt{\epsilon})$.

Proof. Consider a composite correlated state $\rho_{AB}$ where systems A and B are not communicating
and let $\rho_A = \mathrm{Tr}_B(\rho_{AB})$ and $\rho_B = \mathrm{Tr}_A(\rho_{AB})$. If $\rho_A$ is used as input for the FK protocol, the
existence of correlations (not present in the previous lemma) can be exploited by an adversarial
prover. Hence the deviation can no longer be expressed as a CPTP map over this subsystem. As it
is shown in [30], in the presence of initial correlations defined as:

$$\rho_{corr} = \rho_{AB} - \rho_A \otimes \rho_B$$ (17)

the evolution of the subsystem $\rho_A$ is the following:

$$\rho_A \to \mathcal{E}(\rho_A) + \delta\rho_A$$ (18)

Here $\mathcal{E}$ is a CPTP map and $\delta\rho_A$ is an inhomogeneous term which is added to the CPTP evolution
due to the presence of initial correlations. In addition we have the following property:

$$\delta\rho_A = \mathrm{Tr}_B(U_{AB}\, \rho_{corr}\, U_{AB}^\dagger)$$ (19)

We can see that substituting $\rho_A$ in the outcome density operator of the FK protocol gives a different
soundness bound than the one in Lemma 7. The difference stems from the extra $\delta\rho$ term. However
we can use the fact that $\rho$ is $\epsilon$-close to the ideal state (lemma assumption) to show that the norm
of $\delta\rho_A$ is at most of order $O(\sqrt{\epsilon})$. To prove this we first find a bound for the norm of $\rho_{corr}$, and
since $\delta\rho_A$ is just a CPTP map applied to $\rho_{corr}$ it follows that the norm of $\delta\rho_A$ has the same bound.
Moreover, the action of the FK protocol can be modelled as a CPTP map, therefore acting on $\delta\rho_A$
will not increase the norm. It follows that the overall soundness bound changes by at most $O(\sqrt{\epsilon})$.
If we denote the ideal state as $|\psi\rangle$, we know that:

$$\|\rho_A - |\psi\rangle\langle\psi|\|_{Tr} \le \epsilon$$ (20)
It is also known, from the relationship between fidelity and trace distance, that:

$$1 - \langle\psi|\rho_A|\psi\rangle \le \|\rho_A - |\psi\rangle\langle\psi|\|_{Tr}$$ (21)

Combining these two yields:

$$\langle\psi|\rho_A|\psi\rangle \ge 1 - \epsilon$$ (22)

Recall that $\mathrm{Tr}(|\psi\rangle\langle\psi|\, \rho_A) = \langle\psi|\rho_A|\psi\rangle$, using Equation 22 and Corollary 1 (where $\rho$ is substituted
with $\rho_{AB}$ and $\pi$ with $|\psi\rangle\langle\psi|$) we have:

$$\|\rho_{AB} - |\psi\rangle\langle\psi| \otimes \rho_B\|_{Tr} \le 2\sqrt{\epsilon} + \epsilon$$ (23)

The trace norm of $\rho_{corr}$ is simply the trace distance between $\rho_{AB}$ and $\rho_A \otimes \rho_B$ as can be seen from
the definition. Using the triangle inequality, we have:

$$\|\rho_{AB} - \rho_A \otimes \rho_B\|_{Tr} \le \|\rho_{AB} - |\psi\rangle\langle\psi| \otimes \rho_B\|_{Tr} + \||\psi\rangle\langle\psi| \otimes \rho_B - \rho_A \otimes \rho_B\|_{Tr}$$ (24)

For the last term, using the additivity of trace distance with respect to tensor product, we get:

$$\||\psi\rangle\langle\psi| \otimes \rho_B - \rho_A \otimes \rho_B\|_{Tr} \le \||\psi\rangle\langle\psi| - \rho_A\|_{Tr} + \|\rho_B - \rho_B\|_{Tr} = \epsilon$$ (25)

Combining these last three inequalities we obtain:

$$\|\rho_{AB} - \rho_A \otimes \rho_B\|_{Tr} \le 2\sqrt{\epsilon} + 2\epsilon$$ (26)

Since $0 < \epsilon < 1$, the bound is of order $O(\sqrt{\epsilon})$. We have therefore bounded the norm of $\rho_{corr}$ and
thus the norm of $\delta\rho_A$.

We can now take our expression for the deviated input from Equation 18 and substitute it into
Equation 8 from Lemma 7. Since trace is a linear operation, it will result in the addition of an
inhomogeneous term to each equation that involves the outcome density operator. But since the
inhomogeneous term has bounded trace norm, and the action of the outcome density operator is
trace preserving, it follows that we obtain the same bound as in Lemma 7 with the addition of an
extra term of order $O(\sqrt{\epsilon})$. This concludes the proof. □

Lemma 9. If the initial input state of the FK protocol is $\epsilon$-close to the ideal input state, the
completeness is lower bounded by $1 - 2\epsilon$.

Proof. In the simplest sense, the FK protocol can be abstractly thought of as a CPTP map $V$, that
takes some input state to an output state. Since we are assuming the prover is honest, the output
state will be $B_0(\nu)$. However, this is in the case where the input is assumed to be ideal. We are
dealing with a deviated input, hence our output state will be $B'_0(\nu)$. Writing these out explicitly
we have:

$$B_0(\nu) = V(|\Psi^\nu\rangle\langle\Psi^\nu|)$$ (27)

$$B'_0(\nu) = V(\rho^\nu)$$ (28)

Where $\rho^\nu$ is the deviated input, and by assumption

$$\|\rho^\nu - |\Psi^\nu\rangle\langle\Psi^\nu|\|_{Tr} \le \epsilon$$ (29)
Note that in the following we do not need to consider non CPTP map evolution since the provers
are assumed to behave honestly. Hence even in the presence of initial correlation, the subsystem will
evolve according to the desired CPTP map of the protocol. However CPTP maps cannot increase
the trace distance, which leads to:

$$\|B_0(\nu) - B'_0(\nu)\|_{Tr} \le \||\Psi^\nu\rangle\langle\Psi^\nu| - \rho^\nu\|_{Tr} \le \epsilon$$ (30)

This also applies for projection operators and if in particular we consider $P_{correct}$, the projection
onto the correct output state, we also have that:

$$\|P_{correct} B_0(\nu) - P_{correct} B'_0(\nu)\|_{Tr} \le \|B_0(\nu) - B'_0(\nu)\|_{Tr} \le \epsilon$$ (31)

Next we use the reverse triangle inequality, which gives us:

$$\big|\, \|P_{correct} B_0(\nu)\|_{Tr} - \|P_{correct} B'_0(\nu)\|_{Tr} \,\big| \le \|P_{correct} B_0(\nu) - P_{correct} B'_0(\nu)\|_{Tr} \le \epsilon$$ (32)

And since we are dealing with positive definite operators, we know that:

$$\|P_{correct} B_0(\nu)\|_{Tr} = \mathrm{Tr}(P_{correct} B_0(\nu))$$ (33)

$$\|P_{correct} B'_0(\nu)\|_{Tr} = \mathrm{Tr}(P_{correct} B'_0(\nu))$$ (34)

But $\mathrm{Tr}(P_{correct} B_0(\nu)) = 1$ (the completeness when we have ideal input), so:

$$|1 - \mathrm{Tr}(P_{correct} B'_0(\nu))| \le 2\epsilon$$ (35)

Lastly, because $\mathrm{Tr}(P_{correct} B'_0(\nu)) \le 1$, we get:

$$1 - 2\epsilon \le \mathrm{Tr}(P_{correct} B'_0(\nu))$$ (36)

Thus, the probability of accepting a correct outcome, under the assumption that the input state is
$\epsilon$-close to the ideal input, is greater than $1 - 2\epsilon$. □


It is now easy to see that the proof of Theorem 1 follows directly from Definition 3 and Lemmas 8
and 9. Having the robustness property, the FK protocol can receive an input, which is $\epsilon$-close to
its ideal value, from another protocol. As we have shown, even if this input is correlated with an
external system, we can still perform the verification as long as we have $\epsilon$-closeness.


4 Proof of Compositionality 


To prove the security of the composite protocol (Theorem 3), we first need to prove that the FK
protocol rejects with high probability a state close to a reflection about the XY-plane (Lemma 10).
Then we prove that the modified state tomography protocol (Protocol 3) satisfies the $\epsilon$-closeness
property required by the (robust) FK. This is achieved by showing Lemmas 11 and 12. Finally we
give the proof of Theorem 3.

Lemma 10. If the initial input state of the FK protocol is $\epsilon$-close to a reflection about the XY-plane
of the ideal input state, the protocol will reject it with high probability.
Proof. First we note that the input to the FK protocol consists of XY-plane states and dummy
qubits which are either $|0\rangle$ or $|1\rangle$. The XY-plane states are invariant under the reflection, while the
dummy states will be flipped. Assume that there is a trap that has an odd number of (dummy)
neighbours. The verifier knows that he sent the state $|+_\theta\rangle$ and expects to make a $Z$ correction if
the number of $|1\rangle$ neighbours is odd. However, if instead of what the verifier expects, there is an
overall reflection with respect to the XY-plane, then for each of the neighbours of the trap there
will be a new $Z$ correction (the $|0\rangle$ will become $|1\rangle$ inducing a $Z$, while the $|1\rangle$ will become $|0\rangle$
undoing the previous $Z$ correction, which is equivalent with another $Z$ correction since $Z^2 = I$).
Therefore, if the neighbours of a trap are odd in number, he will expect the exact opposite result
and will deterministically detect the deviation. For this to happen it suffices that the verifier makes
sure that at least one trap has an odd number of neighbours, something that can be easily achieved.
Therefore, the FK protocol will always reject the reflected ideal input state. Given that the input
is $\epsilon$-close to this, we have shown in Lemma 8 that the outcome density operator changes by at most
$O(\sqrt{\epsilon})$ from its ideal value. Thus, the output state is $O(\sqrt{\epsilon})$ close to the reflected ideal input state.
It follows that the protocol will reject this state with at most probability $1 - O(\sqrt{\epsilon})$. □
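The parity argument of this proof can be checked on a single trap qubit. The Python sketch below is an added illustration, not code from the paper; the measurement convention (the verifier folds the expected $Z$ correction and a random bit $r$ into the measurement angle $\delta$ and expects outcome $r$) and all function names are assumptions.

```python
import cmath
import math
from itertools import product

# Angles theta of the XY-plane states |+_theta> used as traps.
ANGLES = [k * math.pi / 4 for k in range(8)]


def trap_accept_probability(theta, r, dummies, reflected):
    """Probability that the trap measurement returns the bit r the verifier expects.

    dummies   -- bits of the dummy neighbours the verifier believes he sent
    reflected -- True if the input was reflected about the XY-plane: every
                 dummy is flipped while the trap |+_theta> is unchanged
    """
    # Verifier's bookkeeping: each |1> neighbour induces a Z on the trap.
    expected_z = sum(dummies) % 2
    actual = [1 - d for d in dummies] if reflected else list(dummies)
    actual_z = sum(actual) % 2

    phi = theta + math.pi * actual_z            # trap is Z^{actual_z}|+_theta>
    delta = theta + math.pi * (expected_z + r)  # measurement angle requested

    # Amplitude of outcome r in the basis {|+_delta>, |-_delta>}:
    # <+_delta|+_phi> = (1 + e^{i(phi-delta)})/2, <-_delta|+_phi> = (1 - e^{i(phi-delta)})/2
    amplitude = (1 + (-1) ** r * cmath.exp(1j * (phi - delta))) / 2
    return abs(amplitude) ** 2


def acceptance_range(num_neighbours, reflected):
    """Min and max acceptance probability over all angles, bits r and dummy strings."""
    probs = [
        trap_accept_probability(theta, r, dummies, reflected)
        for theta in ANGLES
        for r in (0, 1)
        for dummies in product((0, 1), repeat=num_neighbours)
    ]
    return min(probs), max(probs)


if __name__ == "__main__":
    for k in range(1, 5):
        lo, hi = acceptance_range(k, reflected=True)
        print(f"{k} dummy neighbours, reflected input: accept prob in [{lo:.3f}, {hi:.3f}]")
```

A trap with an odd number of dummy neighbours is never accepted on the reflected input, while a trap with an even number is always accepted, which is why the verifier needs at least one trap of odd degree.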

In proving the correctness of our protocol we first need to show the correctness of the modified 
state tomography protocol. Here we focus on the main results that we use for showing the correctness 
and security of this protocol. We start with a theorem from [20]:

Theorem 5. [20] Fix $Q = \{\pi^1, \ldots, \pi^{2^q}\}$ a complete, orthonormal set of $q$-qubit XZ-determined
pure states. For a sufficiently large constant $\alpha$ and for sufficiently large $n$, let $m = m(n) > qn$ and
$N > m^{\alpha}$. Let $a \in [m]^{qn}$ be a list of distinct indices. Consider a combination of the following two
protocols between the verifier, Eve, and the provers, Alice and Bob:

1. CHSH games: In the first protocol, Eve referees $Nm$ sequential CHSH games. She accepts if

$$|\{j \in [Nm] : A_j B_j = X_j \oplus Y_j\}| > \cos^2(\pi/8)\,Nm - \frac{1}{2\sqrt{2}}\sqrt{Nm \log(Nm)} . \tag{37}$$

2. State tomography: In the second protocol, Eve chooses $K \in [N]$ uniformly at random. She
referees $(K-1)m$ CHSH games. For the $K$th set, she referees a state tomography protocol
with parameters $q$, $n$, $m$, $Q$ and $a$. She accepts if the following criteria are satisfied:

$$\max_{o \in [2^q]} \left| \#\{j : O_j = o\} - n/2^q \right| < 4^q \sqrt{n \log n} \tag{38a}$$

$$\max_{o \in [2^q],\, P \in \{I, X, Z\}^{\otimes q}} \left| t^{o,P} - \mathrm{Tr}(\pi^{o} P) \right| < 4^q \sqrt{(\log n)/n} . \tag{38b}$$

The combined protocol satisfies the following completeness and soundness conditions: 

Completeness: If Alice and Bob use $Nm$ shared EPR states to play the CHSH games according
to an ideal strategy, and if Bob uses an ideal strategy with respect to the projections $Q$ on
the $K$th set of $m$ EPR states in the state tomography protocol, then in both protocols,

$$\Pr[\text{Eve accepts}] > 1 - O(n^{-1/2}) . \tag{39}$$

Soundness: Assume that for both protocols, $\Pr[\text{Eve accepts}] > 1 - n^{-1/3}$. Let $\rho$ be Alice's state in
the second protocol after $(K-1)m$ games and conditioned on Bob's messages
$O_1, \ldots, O_n$. Then there exists an isometry $\mathcal{X}^A : \mathcal{H}_A \hookrightarrow (\mathbb{C}^2)^{\otimes m} \otimes \mathcal{H}'_A$ such that letting $\rho_{a,j}$ be
$\mathcal{X}^A \rho \mathcal{X}^{A\dagger}$ reduced to Alice's qubits $\{a(j,i) : i \in [q]\}$,

$$\Pr\Big[\, |\{j \in [n] : \mathrm{Tr}(\rho_{a,j}\,\pi^{O_j}) > 1 - O(n^{-1/16})\}| > (1 - O(n^{-1/16}))\,n \Big] > 1 - 4n^{-1/12} . \tag{40}$$

Here, the probability is over $K$, the first $(K-1)m$ games and $O_1, \ldots, O_n$.
We give the following corollary to this theorem: 


Corollary 2. By changing the measurement operators accordingly, a state tomography protocol
for $q$-qubit XY-determined (YZ-determined) states exists, and achieves the same completeness and
soundness bound as the one from Theorem 5.

Proof. As mentioned, if we consider the extended CHSH game (comprising 6 CHSH games) and
try to rigidly determine the existence of a tensor product of $|\Psi^+\rangle$ states, we can fix the strategies
of the provers up to an XY-plane reflection. In particular, the results of an XZ state tomography
in the original setting hold here for XY (YZ) tomography. Therefore, it is possible to certify the
preparation of $q$-qubit XY-determined (YZ-determined) states. □

We can now present the main lemma proving that Protocol [3] is a verification protocol. 

Lemma 11. Protocol 3 has completeness lower bounded by $1 - O(n^{-1/2})$ and soundness upper
bounded by $O(n^{-1/12})$.


Proof. According to Corollary 2, the six state tomography protocols that constitute Protocol 3 are
valid verification protocols achieving the same bounds for completeness and soundness as the original
protocol from Theorem 5. We will ignore the case of XY-plane reflections since, as we have
shown in Lemma 10, these are detected with overwhelming probability by the FK protocol. These
protocols can be "stitched" together in the same way the subprotocols of the RUV protocol are
stitched together. In fact, our case requires a much simpler analysis since the six state tomography
protocols are independent of each other. This means that in each subprotocol, the verifier is
not basing his questions on the results of any previous subprotocol. This nonadaptive technique
contrasts with the RUV protocol in which the questions were adaptive. In the case of honest provers,
the verifier accepts if all subprotocols succeed. For each one, we know from Theorem 5 that the
probability of acceptance is $> 1 - O(n^{-1/2})$, hence for the whole protocol the probability of acceptance
is $> (1 - O(n^{-1/2}))^6 = 1 - O(n^{-1/2})$. Thus, we see that the completeness bound remains
unchanged. For soundness, assuming the provers are dishonest we know, again from Theorem 5,
that the probability of accepting an incorrect outcome is $< 4n^{-1/12}$. In our protocol, the provers can
be dishonest in any of the six subprotocols, therefore, by a union bound the probability of accepting
an incorrect outcome is $< 6 \cdot 4n^{-1/12} = 24n^{-1/12}$. Therefore, we can say that the soundness of our
protocol is upper bounded by $O(n^{-1/12})$. □

We are now able to give the proof of our main result (Theorem [3]) which concerns the properties 
of the composite protocol (Protocol [4]). To do this, we require an additional property. 


Lemma 12. Assume the verifier wants to prepare a state $\rho$ consisting of tensor products of qubits
which are all determined in either the XZ, XY or YZ bases. A successful run of Protocol 3 certifies
that prover 1 has a state $\rho'$ such that $\rho$ and $\rho'$ are close in trace distance.

Proof. The proof is partially given in [20]. In the state tomography protocol, a prover prepares
multiple copies of a resource state. In [20] it is stated that if the verifier accepts, then, with high
probability, a subset of states of the prover are close in trace distance to copies of the resource
state.

The soundness condition of Theorem 5 states that:

$$\Pr\Big[\, |\{j \in [n] : \mathrm{Tr}(\rho_{a,j}\,\pi^{O_j}) > 1 - O(n^{-1/16})\}| > (1 - O(n^{-1/16}))\,n \Big] > 1 - 4n^{-1/12} \tag{41}$$

It is shown in [20] that this condition translates to the fact that with probability at least
$1 - O(n^{-1/48})$ we have:

||ps(0i,„) — 11 tv < 0(n _1/,e4 ) (42) 

Where $S$ is a uniformly random subset of size $O(n^{1/64})$. If we denote $O(n^{-1/64})$ as $\epsilon$, $O(n^{-1/48})$ as $p$,
$\rho_S(O_{1,n})$ as $\rho_\epsilon$ and as $\rho_{id}$ then the state $\rho'$, that prover 1 has, is:

$$\rho' = (1 - p)\rho_\epsilon + p(I - \rho_\epsilon) \tag{43}$$

We can see that, for sufficiently large $n$, the values of $p$ and $\epsilon$ tend to 0. Consequently, $\rho'$ approaches
$\rho_\epsilon$ and $\rho_\epsilon$ approaches the ideal state, $\rho_{id}$. Computing the trace distance between $\rho'$ and $\rho_{id}$ we
obtain:

$$\|\rho' - \rho_{id}\|_{Tr} = \|(1 - p)\rho_\epsilon + p(I - \rho_\epsilon) - \rho_{id}\|_{Tr} \leq \|\rho_\epsilon - \rho_{id}\|_{Tr} + \|p(I - 2\rho_\epsilon)\|_{Tr} \tag{44}$$

And using inequality (42) we have:

$$\|\rho' - \rho_{id}\|_{Tr} \leq O(n^{-1/64}) + 2p = O(n^{-1/64}) + O(n^{-1/48}) = O(n^{-1/64}) \tag{45}$$

Therefore, the state that prover 1 has, conditioned on his messages $O_{1,n}$, is close to the state
comprised of copies of the resource states. Depending on which type of state tomography is done,
the resource states are determined in either the XZ, XY or YZ bases. □


Proof of Theorem 3. According to Lemmas 11 and 12, Protocol 3 is capable of preparing, with
high probability, a multi-qubit state $\rho$ on prover 1's side, such that $\rho$ is $\epsilon$-close to a tensor product
of states determined in either the XZ, XY or YZ bases. In fact, each subprotocol is capable of
such a preparation. For the two XY state tomography protocols we choose the resource state to
be:

$$|+\rangle \otimes |+_{\pi/4}\rangle \otimes |+_{2\pi/4}\rangle \otimes |+_{3\pi/4}\rangle \otimes |+_{4\pi/4}\rangle \otimes |+_{5\pi/4}\rangle \otimes |+_{6\pi/4}\rangle \otimes |+_{7\pi/4}\rangle \tag{46}$$

For the two XZ state tomography protocols we choose the resource state to be:

$$|0\rangle \otimes |1\rangle \otimes |0\rangle \otimes |1\rangle \tag{47}$$

This allows us to prepare multi-qubit states on prover 1's side which are close in trace distance
to the FK input consisting of XY-plane states and dummy qubits (the $|0\rangle$, $|1\rangle$ qubits). If we denote
as $\rho_1$ the multi-qubit state consisting of multiple copies of the XY resource state and $\rho_2$ as
the multi-qubit state consisting of multiple copies of the XZ resource state, then the FK input is
effectively $\rho_1 \otimes \rho_2$. Lemma 12 shows that with high probability prover 1 will have a state $\rho'_1$ that
is $\epsilon_{prep}$-close to $\rho_1$ and a state $\rho'_2$ that is $\epsilon_{prep}$-close to $\rho_2$, where $\epsilon_{prep} = O(n^{-1/64})$. Therefore,
$\rho'_1 \otimes \rho'_2$ is $2\epsilon_{prep}$-close to $\rho_1 \otimes \rho_2$. Moreover, in [20] it is proven that in the state tomography protocol
prover 1 is completely blind regarding his state. Given this, and using Theorem 1, we can compose
the modified state tomography protocol (Protocol 3) with the FK protocol to achieve a new blind
verification protocol. The state $\rho'_1 \otimes \rho'_2$ is used as input for the FK protocol, since it is $\epsilon$-close to
the ideal input, where $\epsilon = 2\epsilon_{prep}$.

The bound on completeness for the new protocol can be computed from the completeness bounds
of the constituent protocols. In the honest provers setting, the verifier's acceptance probability for
modified state tomography is $1 - O(n^{-1/2})$, and for FK with deviated input it is $1 - O(\sqrt{\epsilon}) =
1 - O(n^{-1/128})$. Multiplying these together and taking the leading order terms we find that
completeness of the protocol is upper bounded by $1 - O(n^{-1/128})$.

For soundness, in the dishonest setting if the verifier would reject in either modified state tomography
or FK then he would reject in the new protocol as well. The bound on soundness for modified
state tomography is $O(n^{-1/12})$ and for FK is $(2/3)^{\lceil 2d/5 \rceil}$, where $d$ is the security parameter of the FK
protocol that specifies the size of the encoding for the computation graph. From a union bound we
get that the soundness for our composite approach is $(2/3)^{\lceil 2d/5 \rceil} + O(n^{-1/12})$.

The last part of the proof deals with the round complexity of our composite approach. In the
previous proof of Lemma 12 we mentioned that prover 1's state restricted to a subset of $O(n^{1/64})$
qubits is close in trace distance to the ideal state. However we need $n$ to be sufficiently large so that
this subset of qubits can encompass the entire FK input. We know that the FK input comprises
$O(|C|^2)$ qubits, where $C$ is the computation the verifier wants to perform. This means that we need
$O(|C|^{128})$ qubits in total so that we can claim that a state of $O(|C|^2)$ qubits is close to its intended
value. Recall that from Theorem 5, the number of rounds for state tomography is $O(n^{\alpha})$, where we
know from [20] that $\alpha > 16$. This means that the total number of rounds must be $O(|C|^{c})$, where
$c > 128 \cdot 16 = 2048$. If we relabel $n$ to be $|C|$ then the round complexity is $O(n^{c})$. □


5 Proof of Fault Tolerance 

The main result of this section is the proof of Theorem 4 that gives a fault tolerant FK protocol.
We first prove Lemmas 3 and 6 that, as stressed in Section 2.3, highlight why we cannot use
results similar to the robustness and why the simplest approaches fail. Then we proceed to the
proof of Theorem 4.

Proof of Lemma 3. We can compute a bound on the trace distance between an arbitrary qubit
$\rho_i$ and $\mathcal{E}(\rho_i)$:

$$\|\rho_i - \mathcal{E}(\rho_i)\|_{Tr} = \|\rho_i - (1 - p)\rho_i - (p/3)([X] + [Y] + [Z])\rho_i([X] + [Y] + [Z])\|_{Tr} \tag{48}$$

$$\|\rho_i - \mathcal{E}(\rho_i)\|_{Tr} = p\,\|\rho_i - (1/3)([X] + [Y] + [Z])\rho_i([X] + [Y] + [Z])\|_{Tr} \tag{49}$$

But we know that the trace distance is upper bounded by 1, so:

$$\|\rho_i - \mathcal{E}(\rho_i)\|_{Tr} \leq p \tag{50}$$

Now we compute the trace distance between $\sigma = \bigotimes_{i=1}^{n} \rho_i$ and $\sigma' = \bigotimes_{i=1}^{n} \mathcal{E}(\rho_i)$:

$$\|\sigma - \sigma'\|_{Tr} = \Big\|\bigotimes_{i=1}^{n} \rho_i - \bigotimes_{i=1}^{n} \mathcal{E}(\rho_i)\Big\|_{Tr} \leq \sum_{i=1}^{n} \|\rho_i - \mathcal{E}(\rho_i)\|_{Tr} \leq np \tag{51}$$

Since the trace distance is upper bounded by 1 and since $np$ can exceed 1 for sufficiently large $n$,
we have:

$$\|\sigma - \sigma'\|_{Tr} \leq \min(1, np) \tag{52}$$

Consider $\sigma = \bigotimes_{i=1}^{n} |0\rangle\langle 0|$. Under the action of the depolarizing channel the trace distance between
$\sigma$ and $\sigma'$ is $n\,\| |0\rangle\langle 0| - \mathcal{E}(|0\rangle\langle 0|) \|_{Tr}$. However $\| |0\rangle\langle 0| - \mathcal{E}(|0\rangle\langle 0|) \|_{Tr} =$ therefore the distance
between $\sigma$ and $\sigma'$ is $n$ For sufficiently large $n$ this can clearly reach the maximum value of
1. □

Proof of Lemma 4. Because of the action of the partially depolarizing channel, each trap qubit
has a probability $p$ of being changed. We make the simplifying assumption that an affected qubit
will produce a wrong measurement result. This assumption is only valid for completeness, where
we assume that the devices are honest but faulty.⁴ We then have that the probability of a trap
measurement producing a correct outcome is upper bounded by $1 - p$. Given that trap measurements
are independent of each other, and assuming we have $N_T$ traps, the probability that all trap
measurements produce correct outcomes is upper bounded by $(1 - p)^{N_T}$. Since the verifier accepts
if and only if all trap measurements succeed it follows that the completeness is upper bounded by
$(1 - p)^{N_T}$. □

Proof of Lemma 5. Define the following Bernoulli random variable:

$$X_t = \begin{cases} 1, & \text{if measurement of trap } t \text{ fails,} \\ 0, & \text{otherwise.} \end{cases} \tag{53}$$

Under the simplifying assumption of the previous lemma, we have $\Pr(X_t = 1) = p > 0$. Next, we
define:

$$F = \sum_{t=1}^{N_T} X_t \tag{54}$$

It is clear that $E(F) = N_T\,p$. Additionally, using a Hoeffding inequality, we have that:

$$\Pr(F > (p + \epsilon)N_T) < \exp(-2\epsilon^2 N_T) \tag{55}$$

This gives the probability that the number of failed traps is greater than our threshold of jjNt ■ 
The complement of this is the completeness, which is therefore bounded by $1 - \exp(-2\epsilon^2 N_T)$. □

Proof of Lemma 6. Recall that soundness is the probability of accepting an incorrect outcome. In
the original FK protocol this meant that all the traps succeeded but the computation output was
orthogonal to the correct output. This is expressed with the projector $P_\perp \otimes P_T$. Here $P_\perp$ projects
the computation output onto the orthogonal state and $P_T$ projects the trap outputs onto the
correct outputs. If the accepting condition is given by a threshold of correct traps, the projector
must change accordingly. This means that there should not be only one trap projector but one
for each accepting situation. Taking the threshold to be $pN_T$ means that the verifier accepts if
$T = N_T - pN_T$ traps succeeded. Since these traps can be any combination of $T$ out of the possible
$N_T$, there are $\binom{N_T}{T}$ possible accepting situations. Therefore, the trap projector $P_T$ becomes a sum
of $\binom{N_T}{T}$ projectors (one for each accepting choice of traps). It therefore follows from linearity that
the soundness bound becomes $\binom{N_T}{T}\left(\frac{2}{3}\right)^{\lceil 2d/5 \rceil}$. □
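The trade-off described by Lemmas 4 to 6 can be compared numerically. The Python example below is added here and is not from the paper: it assumes independent trap failures with probability $p$ (the simplifying assumption of Lemma 4), treats the number of traps $N_T$ and the FK security parameter $d$ as free inputs, takes the FK soundness bound as $(2/3)^{\lceil 2d/5 \rceil}$, and uses hypothetical function names and constructed sample parameters.

```python
import math
import random


def completeness_all_traps(p, n_traps):
    """Lemma 4: upper bound on acceptance when every trap must succeed."""
    return (1 - p) ** n_traps


def completeness_threshold(eps, n_traps):
    """Lemma 5: Hoeffding lower bound when (p + eps) * N_T failed traps are tolerated."""
    return 1 - math.exp(-2 * eps ** 2 * n_traps)


def log2_soundness_threshold(n_traps, max_failures, d):
    """Lemma 6: log2 of binom(N_T, T) * (2/3)^ceil(2d/5), with T = N_T - max_failures.

    A value >= 0 means the bound is >= 1 and says nothing about security.
    """
    n_required = n_traps - max_failures
    exponent = (2 * d + 4) // 5  # integer ceil(2d/5)
    return math.log2(math.comb(n_traps, n_required)) + exponent * math.log2(2 / 3)


def min_security_parameter(n_traps, max_failures, bits):
    """Smallest d for which the Lemma 6 bound is at most 2^-bits."""
    d = 1
    while log2_soundness_threshold(n_traps, max_failures, d) > -bits:
        d += 1
    return d


def simulate_acceptance(p, n_traps, max_failures, runs=500, seed=1):
    """Honest-but-faulty devices: fraction of runs with at most max_failures failed traps."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(runs):
        failures = sum(rng.random() < p for _ in range(n_traps))
        accepted += failures <= max_failures
    return accepted / runs


if __name__ == "__main__":
    # Constructed sample parameters, not values from the paper.
    p, eps, n_traps, d = 0.01, 0.02, 1000, 100
    max_failures = round((p + eps) * n_traps)
    print("all traps must pass, bound :", completeness_all_traps(p, n_traps))
    print("all traps must pass, sim   :", simulate_acceptance(p, n_traps, 0))
    print("threshold rule, bound      :", completeness_threshold(eps, n_traps))
    print("threshold rule, sim        :", simulate_acceptance(p, n_traps, max_failures))
    print("log2 soundness bound (d=%d):" % d, log2_soundness_threshold(n_traps, max_failures, d))
    print("d needed for 2^-40         :", min_security_parameter(n_traps, max_failures, 40))
```

With these parameters the threshold rule restores completeness, but the binomial factor makes the soundness bound exceed 1 unless $d$ is made far larger, which is the failure of the simple approach that the lemmas establish.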

⁴ If the devices were dishonest, we would need to take into account the deviation on the trap qubits resulting from
malevolent behaviour.
Proof of Theorem 4. In [34], Morimae and Fujii show how a blind quantum computation can
be made fault tolerant by encoding it in a topologically protected error-correcting code [28]. The
encoding then uses a decoration trick so that the prover only needs to perform XY-plane measurements
and this can be done blindly using the UBQC protocol in [1]. Here, we use the same idea to
encode a computation which also contains an isolated trap. This follows from the first verification
protocol introduced in [1] which uses a brickwork state to perform the computation. Encoding this
in the fault tolerant code gives us the lattice $\mathcal{L}_\nu$, which according to [34] can be executed blindly by
the prover.

Throughout the run of the protocol, if the prover is always honest then the fault tolerant code
will correct for any errors (since we have assumed the error rate is smaller than the threshold of
correctable errors). This proves that the completeness of the protocol is 1.

To compute the soundness, note that the computed bound for the brickwork state protocol in [1]
is:


Pincorrect T 



(56) 


Where $n$ is the number of qubits in the brickwork state. Similar to the robustness proof, the proof
of this bound assumes that the outcome density operator of the protocol is projected onto a state
where the trap succeeded but the computation outcome is incorrect. It can be shown that the
same bound as the non-fault tolerant case holds. This means that we have:


Pincorrect T 



(57) 


Where $n'$ is the number of qubits in a lattice $\mathcal{L}_{\nu_i}$, out of the $N$ lattices used in the protocol. We
note that $n'$ is of the same order as $n$ [28], and we can choose a constant $c > 2$ such that $2n' = cn$.
In Protocol 5 the verifier creates independent encodings $\mathcal{L}_\nu$, each depending on classical randomness.
He accepts the sequence of encodings if all trap measurements succeed in each encoding. This means
that the prover can deceive the verifier if he can deviate the computation in each encoding $\mathcal{L}_\nu$ while
at the same time passing all the traps. However, for any given encoding we know that the probability
of this happening is given by $p_{incorrect}$, and because of independence, the prover will succeed for
the sequence with probability:

$$p_{incorrect} \leq \left(1 - \frac{1}{cn}\right)^{N} \tag{58}$$

We know that $N/R \geq 1/\log\left(1 + \frac{1}{cn - 1}\right)$. However, this is equivalent to:

$$N/R \geq -1/\log\left(1 - \frac{1}{cn}\right) \tag{59}$$

$$(N/R)\log\left(1 - \frac{1}{cn}\right) \leq -1 \tag{60}$$

Note that we used the fact that $\log\left(1 - \frac{1}{cn}\right) < 0$. Through exponentiation we get:

$$\left(1 - \frac{1}{cn}\right)^{N/R} \leq \frac{1}{2} \tag{61}$$

And we finally obtain:

$$p_{incorrect} \leq \frac{1}{2^{R}} \tag{62}$$

Hence, the probability that the prover deceives the verifier is less than $(1/2)^{R}$ and so the soundness
of the protocol is upper bounded by this value.

Lastly we compute the round complexity of this protocol. For the given sequence we have $N$
encodings and for each encoding we have $O(n)$ qubits⁵ and a corresponding round complexity of
$O(n)$ to compute the execution of that encoding. It follows that the overall complexity is $O(Nn)$.
But we know that $N \leq R/\log\left(1 + \frac{1}{cn - 1}\right) + O(1)$, and given that $R$ is a constant, we can show
that $N$ is $O(n)$. This follows from the observation that dividing the function $1/\log\left(1 + \frac{1}{cn - 1}\right)$ with
$(cn - 1)$ gives a constant in the $n \to \infty$ limit:

$$\lim_{n \to \infty} (cn - 1)\log\left(1 + \frac{1}{cn - 1}\right) = \frac{1}{\ln 2} \tag{63}$$

Incorporating this result yields overall complexity $O(n^2)$. Note that this proof technique works for
the case of classical output since we are interested in the classical output of each encoding. The
encodings are independent from each other, which allows us to bound the probability for the whole
sequence. □

6 Conclusion 

We have shown that the single server universal verifiable blind quantum computing protocol of
[1] is robust even against general adversaries. This protocol is currently the optimal protocol in
terms of the verifier's requirements. The robustness result further strengthens the scheme for
realistic applications where the effect of noisy devices should also be considered, as highlighted in a
recent experimental demonstration of the protocol HE- Moreover, it enables us to compose the FK 
protocol with other quantum verification protocols, extend it to the entangled servers setting and
make it device independent. The key property that we proved is that the protocol remains secure
even against correlated attacks. To achieve this, we considered the deviation of the evolution of a
correlated subsystem from the evolution of uncorrelated subsystems. The former could be written
mathematically as a non-CPTP map which differs from a CPTP map by an inhomogeneous term.
However, for inputs which are $\epsilon$-close to the ideal FK input, we showed that this deviation (the
inhomogeneous term) is bounded by a term of order $O(\sqrt{\epsilon})$. Our proof technique is generic and
can be potentially applied to other multi-party protocols where sequential composition is required.
This result complements the local-verifiability proof of [23] which is based on the universal
composability framework. The latter, in its current form, is insufficient for composing entanglement-based
protocols, such as RUV, with the FK protocol because of the possibility of correlated attacks.
Our robustness result, however, leads to a stand alone secure composite verification protocol.
Additionally, the proposed composition scheme could potentially be used to extend the composable
framework of [23] to incorporate multiple provers.

⁵ Note that here, unlike in the composite protocol, we have a linear number of qubits for the protocol. This is
because we are not using the dotted-complete version of the FK protocol, but the one using a brickwork state. It is
explained in [1] that this version of the protocol requires $O(n)$ qubits.
Our proposed composite protocol achieves verification with a classical client (device independence)
and gives improved round complexity in comparison to the RUV protocol. It uses only
the (modified) state tomography part of RUV as input for the FK protocol. The improved round
complexity of the composite protocol is still too high to allow for any practical implementation in
the near future. However, the reason for this high round complexity is the state tomography
subprotocol and therefore, any improvement on how to prepare the FK inputs (e.g. by exploiting the
shared entanglement of the provers or using self-testing techniques as in [32]) will directly improve
the efficiency of our composite protocol as well.

Finally we outlined how to make our verification protocol fault tolerant. To do so we constructed
a fault tolerant version of the FK protocol which is interesting in its own right. This complements
the work presented in [32] which addresses the fault tolerance of a (non-verifiable) blind quantum
computing protocol. We used the same topological error correcting code as [33] and a sequential
repetition scheme in order to correct for faulty devices.